Coordinated Disclosure Timeline
- 2024-10-25: Reported to maintainers through GitHub’s Private Vulnerability Reporting (PVR).
- 2024-11-08: Fixed in commit 9668948.
Summary
Marimo is vulnerable to Poisoned Pipeline Execution (PPE), which may allow an attacker to gain write permissions on the repository and exfiltrate secrets such as TURBO_TOKEN or NPM_TOKEN.
Project
Marimo
Tested Version
Latest commit at the time of reporting.
Details
Poisoned Pipeline Execution (PPE) in the marimo-bot.yml workflow (GHSL-2024-313)
The marimo-bot workflow is triggered when a Pull Request is commented on with the text /marimo create-test-release:
on:
  issue_comment:
    types: [created]
...
jobs:
  create-test-release:
    if: contains(github.event.comment.body, '/marimo create-test-release') && github.event.issue.pull_request
When triggered, the workflow checks out the Pull Request branch:
- name: ⬇️ Checkout repo
  uses: actions/checkout@v4
  with:
    fetch-depth: 0
    ref: refs/pull/${{ github.event.issue.number }}/head
Since anyone can open a Pull Request and comment on it, an attacker can populate the runner workspace with untrusted code from their Pull Request branch. Because an issue_comment workflow runs from the default branch in the context of the base repository, that untrusted code then executes with the repository's GITHUB_TOKEN and secrets. Files such as the Makefile give the attacker a direct path to arbitrary code execution: by replacing the fe target in the Makefile as part of the Pull Request, an attacker can execute arbitrary code in the following step:
- name: 📦 Build frontend
  run: make fe
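The pattern above (a trigger an outsider can fire, a checkout of the pull request head, and a later step that runs whatever the checked-out tree says to run) is mechanical enough to scan for. The following is an added example, not marimo's code or the fix in commit 9668948: a heuristic checker that walks a GitHub Actions workflow as the dict PyYAML's safe_load() would return. The workflow dict is constructed by hand from the fragments quoted in this advisory, and the hardened variant (gating the job on the commenter's author_association and dropping the default write grants) is an assumed mitigation, not a description of the project's actual change.

```python
"""Heuristic scanner for the Poisoned Pipeline Execution pattern described above.

Added example, not marimo's code. Input is a GitHub Actions workflow as the dict
that yaml.safe_load() would return. A job is flagged when an outsider can fire
the trigger, the job checks out a ref derived from that event, and a later
step runs a command driven by files in the checked-out tree.
"""
import re

# Events an unprivileged user can fire while the job still runs with the base
# repository's GITHUB_TOKEN and secrets.
RISKY_TRIGGERS = {"issue_comment", "pull_request_target", "workflow_run"}

# Checkout refs that resolve to the pull request head, i.e. fork-controlled code.
UNTRUSTED_REF = re.compile(
    r"refs/pull/\$\{\{\s*github\.event\.[a-z_.]*number\s*\}\}/head"
    r"|github\.event\.pull_request\.head\.(?:sha|ref)"
)

# Commands whose behaviour is controlled by files in the workspace
# (Makefile, package.json scripts, setup.py, build scripts, ...).
WORKSPACE_DRIVEN = re.compile(
    r"(?:^|[\s;&|])(?:make|npm|pnpm|yarn|pip|python3?|node|bash|sh|cargo|go|gradle|mvn|\./)\b"
)

# Heuristic: a job whose `if` checks the commenter's association with the
# repository is treated as mitigated. This is not an expression parser; the
# condition still has to be reviewed by hand.
TRUSTED_GATE = re.compile(r"github\.event\.comment\.author_association")


def _triggers(workflow):
    # PyYAML parses the bare key `on` as the boolean True; accept both forms.
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    return set(on)  # list of event names or mapping keyed by event name


def token_can_write(workflow, job):
    """True when the job's GITHUB_TOKEN carries at least one write scope."""
    perms = job.get("permissions", workflow.get("permissions"))
    if perms is None:
        return True  # repository default applies; this report shows it as full write
    if isinstance(perms, str):
        return perms == "write-all"
    return any(v == "write" for v in perms.values())


def find_ppe(workflow):
    """One finding per step that runs workspace-driven code after an untrusted
    checkout, in a job reachable from a risky trigger and not gated on the commenter."""
    findings = []
    if not (_triggers(workflow) & RISKY_TRIGGERS):
        return findings
    for job_name, job in workflow.get("jobs", {}).items():
        if TRUSTED_GATE.search(str(job.get("if", ""))):
            continue
        untrusted_ref = None
        for idx, step in enumerate(job.get("steps", [])):
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if uses.startswith("actions/checkout") and UNTRUSTED_REF.search(ref):
                untrusted_ref = ref
                continue
            run = step.get("run")
            if untrusted_ref and run and WORKSPACE_DRIVEN.search(run):
                findings.append({
                    "job": job_name,
                    "step": idx,
                    "command": run.strip(),
                    "checkout_ref": untrusted_ref,
                    "token_write": token_can_write(workflow, job),
                })
    return findings


# Constructed by hand from the fragments quoted in the advisory.
MARIMO_BOT_AS_REPORTED = {
    "on": {"issue_comment": {"types": ["created"]}},
    "jobs": {
        "create-test-release": {
            "if": "contains(github.event.comment.body, '/marimo create-test-release') "
                  "&& github.event.issue.pull_request",
            "steps": [
                {"name": "Checkout repo", "uses": "actions/checkout@v4",
                 "with": {"fetch-depth": 0,
                          "ref": "refs/pull/${{ github.event.issue.number }}/head"}},
                {"name": "Build frontend", "run": "make fe"},
            ],
        }
    },
}

# Assumed hardening, not the project's actual fix: gate on the commenter's
# association and replace the default grants with the minimum the job needs
# (contents: read is a placeholder; widen only to what the release step uses).
HARDENED_EXAMPLE = {
    "on": {"issue_comment": {"types": ["created"]}},
    "permissions": {"contents": "read"},
    "jobs": {
        "create-test-release": {
            "if": "contains(github.event.comment.body, '/marimo create-test-release') "
                  "&& github.event.issue.pull_request "
                  "&& contains(fromJSON('[\"OWNER\",\"MEMBER\",\"COLLABORATOR\"]'), "
                  "github.event.comment.author_association)",
            "steps": MARIMO_BOT_AS_REPORTED["jobs"]["create-test-release"]["steps"],
        }
    },
}

if __name__ == "__main__":
    for f in find_ppe(MARIMO_BOT_AS_REPORTED):
        print(f"job={f['job']} step={f['step']} cmd={f['command']!r} token_write={f['token_write']}")
    print("hardened:", find_ppe(HARDENED_EXAMPLE))
```

Two caveats on the hardened variant. The author_association gate authenticates the commenter, not the code: a maintainer who types the command on a fork's pull request still builds that fork's Makefile with repository credentials, so the checkout of refs/pull/N/head remains the root cause and the build of untrusted code belongs in a separate job with no secrets and a read-only token. And a narrowed permissions block does nothing for secrets passed as environment variables; those are exfiltrated from the runner regardless of GITHUB_TOKEN scope.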
Impact
The permissions granted to the marimo-bot workflow's GITHUB_TOKEN are full write:
Actions: write
Attestations: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
An attacker can therefore use the GITHUB_TOKEN to perform any write operation on the repository. Additionally, they can dump the runner's memory and exfiltrate any secrets available to the job, such as TURBO_TOKEN and NPM_TOKEN.
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-313 in any communication regarding this issue.